Firewall misconfiguration - am I screwed?

#1 Wed, 05/06/2015 - 18:58
robbrandt

I was setting up a server with some firewall settings and seem to have locked myself out. This is the first time I have used "webmin Linux Firewall" to do the configuration settings.

What I did was simple. I accepted the option at the beginning to "allow all traffic". Then, I wanted to block one particular IP address from access, so for Incoming Packets I clicked on Add Rule, Action to Take = Drop, Source address or network = the IP address, clicked on the create button, applied the configuration, and then everything went dead. Everywhere. All IP addresses from anywhere I could try. Unfortunately Active at Boot was also set, so rebooting won't get me to "start over".

I am hoping that someone with knowledge of what Webmin does here will know what exactly the settings would have been saved as, and possibly know what might work to get me back in again.

Fortunately this is a utility server, so no public sites have gone offline. But it would take a while to rebuild everything that's on here.

This is on an Amazon instance, for what it's worth.

Wed, 05/06/2015 - 22:40
andreychek

Howdy,

Webmin just edits the standard Linux firewall using iptables, so if you can get console access, you can run some commands on the command line to clear the existing firewall.

Do you have any sort of console access?

If so, you could run these commands:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
Wed, 05/06/2015 - 22:58
robbrandt

I haven't been able to get any kind of console access. I have tried ssh & telnet; I don't have plain ftp installed. Naturally I've tried webmin too.

I'm hoping that someone can take a guess at what the iptables conf might look like based on my description above, and from that get an idea of what might be open.

Wed, 05/06/2015 - 23:55
Diabolico

You need to be able to connect with SSH or console. If you are on SolusVM then you could use "Serial Console" and generate a username and password for SSH for a limited time. Once you log in with SSH:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

If you used the console, save the rules and then go back to your normal SSH or Webmin. On a side note, you should NEVER set your iptables to allow all incoming traffic on all ports. Trust me, you are just asking for some serious problems.

In case you don't have console access (for whatever reason), ask your host to reset your iptables. If your host doesn't want to do this (unmanaged service), then the only option is to drop everything and reinstall the OS again.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
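The reset commands above get you back in once you have a console, but the lockout itself came from applying a rule with no way back. As an added example (not from this thread and not Webmin's own module), the script below shows, in iptables-restore format, what a rule that drops a single address looks like next to the shape that drops everything, a check that refuses the second shape, and a way to apply a ruleset with an automatic rollback so you can confirm from a fresh session before the change sticks. The address 203.0.113.5, the paths under /run and the 60-second window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Webmin): build the single-address
# DROP rule the poster intended in iptables-restore format, refuse any INPUT
# DROP/REJECT rule that carries no source/interface match, and apply a ruleset
# with a rollback timer so a bad rule cannot lock you out.
# Assumed: the iptables-save/restore text format, the paths /run/fw-backup.rules
# and /run/fw-ok, a 60-second default window, and the example address 203.0.113.5.

# Filter-table ruleset that drops exactly one address/CIDR ($1) and accepts the rest.
block_one_source() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $1 -j DROP
COMMIT
EOF
}

# The same rule with the source match missing: this drops all inbound traffic,
# including your own SSH session. Shown only as the pattern to look for.
lockout_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
COMMIT
EOF
}

# Reads a ruleset on stdin. Returns 1 if any INPUT rule jumps to DROP or REJECT
# without a -s (source) or -i (interface) qualifier, otherwise 0.
check_no_unqualified_drop() {
    if grep -E '^-A INPUT .*-j (DROP|REJECT)' | grep -Evq -- ' -s | -i '; then
        return 1
    fi
    return 0
}

# Apply $1 (ruleset file) with a rollback after $2 seconds (default 60).
# Needs root and iptables-save/iptables-restore. After it returns, open a NEW
# session and run `touch /run/fw-ok`; if that never happens, the backup is restored.
apply_with_rollback() {
    rules=$1
    window=${2:-60}
    if ! check_no_unqualified_drop < "$rules"; then
        echo "refusing to apply: unqualified DROP/REJECT in INPUT" >&2
        return 1
    fi
    iptables-save > /run/fw-backup.rules || return 1
    rm -f /run/fw-ok
    # nohup keeps the timer alive even if this session is the one that gets cut off.
    nohup sh -c "sleep $window; [ -e /run/fw-ok ] || iptables-restore < /run/fw-backup.rules" \
        >/dev/null 2>&1 &
    iptables-restore < "$rules" || return 1
    echo "applied; confirm with 'touch /run/fw-ok' from a new session within ${window}s"
}

# Demonstration without root: print the intended ruleset and run the check on both shapes.
block_one_source 203.0.113.5
block_one_source 203.0.113.5 | check_no_unqualified_drop && echo "single-source ruleset: OK"
lockout_ruleset | check_no_unqualified_drop || echo "lockout ruleset: refused (unqualified DROP)"
```

On a live box, run `apply_with_rollback rules.txt` from a session you are prepared to lose, then open a second SSH session; if the second session works, touch /run/fw-ok, otherwise wait out the window and the previous rules come back. The check is deliberately narrow (it only looks at INPUT rules with no -s or -i), so a wrong but qualified address still has to be caught by the rollback.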

Thu, 05/07/2015 - 00:14
robbrandt

Thanks. This server is on Amazon, and until this point we managed access to the server via AWS security policies, so it wasn't really as open as it sounds.

The host is amazon, so it is a virtual server. I don't know that there's a way to fake a serial connection on a virtual instance. I see several support requests for Amazon to support serial console support, but it doesn't appear to at the moment.

SolusVM is something that runs/can run in Amazon? Looks like an alternative, not a part of Amazon.

Thu, 05/07/2015 - 03:35
Diabolico

SolusVM is virtualization software, but you have others like KVM or XEN. How it works on Amazon I don't know, as I never used their service; expensive, and frankly there are better options. So if you don't have console, then the only option is to ask them to reset your iptables or re-install everything from the beginning. You just locked yourself out and there is no other way to sort your problem. In case you are using that free part of Amazon, good luck; not sure if they will even bother with your problem, but it's worth a try (maybe with some nice and polite email/support ticket).


Thu, 05/07/2015 - 08:46
andreychek

Howdy,

While I don't have personal experience with Amazon's EC2, I found this document here which describes a way to recover an unreachable EC2 instance:

https://aws.amazon.com/articles/5213606968661598
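The recovery in that article depends on getting the root volume mounted on a second instance; what you then do to the saved rules is up to you. As an added example (not from the thread or the article), the script below, given the mount point, backs up and replaces any saved ruleset it finds with an accept-all one so the firewall does not come back up in the same state, and lists the rules that applied to all inbound traffic so they can be corrected. The mount point and the candidate file locations (which differ by distribution and by what Webmin was told to write) are assumptions; check what is actually on the volume.

```shell
#!/bin/sh
# Added example (not from the thread or the AWS article): once the locked-out
# instance's root volume is attached to a helper instance and mounted, make the
# persisted firewall rules harmless so the next boot does not re-apply them.
# Assumed: the mount point (passed as $1, e.g. /mnt/recovery) and the candidate
# locations of the saved ruleset; adjust the list to what you find on the volume.

# Ruleset that accepts everything and defines no rules, in iptables-restore format.
accept_all_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# disarm_saved_rules <mounted-root>
# For each candidate ruleset file that exists under the mounted root, keep a copy
# next to it and overwrite it with the accept-all ruleset. Returns 1 if none found.
disarm_saved_rules() {
    root=${1%/}
    found=0
    for rel in etc/sysconfig/iptables etc/iptables.up.rules etc/iptables/rules.v4; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        cp -p "$f" "$f.lockout.bak" || return 1
        accept_all_ruleset > "$f" || return 1
        echo "disarmed $f (original kept at $f.lockout.bak)"
        found=1
    done
    [ "$found" -eq 1 ]
}

# show_unqualified_drops <ruleset-file>
# Print (with line numbers) every INPUT rule that jumps to DROP/REJECT without a
# source (-s) or interface (-i) match, i.e. the rules that hit all inbound traffic.
show_unqualified_drops() {
    grep -nE '^-A INPUT .*-j (DROP|REJECT)' "$1" | grep -Ev -- ' -s | -i ' || true
}

# Demonstration on a constructed fake root tree in a temp directory (no real volume touched).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/sysconfig"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' '-A INPUT -j DROP' 'COMMIT' > "$demo_root/etc/sysconfig/iptables"
disarm_saved_rules "$demo_root"
echo "rules in the saved copy that applied to all inbound traffic:"
show_unqualified_drops "$demo_root/etc/sysconfig/iptables.lockout.bak"
rm -rf "$demo_root"
```

Only the saved file is changed; whatever starts the firewall at boot is left alone, because what it now loads accepts everything. Once the volume is back on the original instance and you are logged in, restore the corrected rules from the .lockout.bak copy rather than running open indefinitely.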

Thu, 05/07/2015 - 10:50
robbrandt

Thanks, that's promising. I will try this today.

Thu, 05/07/2015 - 19:59
robbrandt

Success! Thank you andreychek for the link, it went perfectly.

We have been using Amazon for about 3 years now and love it more and more. I'm not sure what circumstances others are in, but it is much cheaper for us because we don't have to commit to server capacity we only need for brief periods during the year. When those periods hit we just upgrade to a bigger instance and then downgrade after it's over, or we might soon start using auto-scaling for it to spin up additional instances in a cluster. But besides the cost, its flexibility and services have made our lives so much easier. They keep coming up with new services and features we didn't know we needed until we found out about them.
